Leonardo de Moura Microsoft Research. Many approaches Graph-based for difference logic: a – b 3...

Satisfiability Modulo Theories (SMT): ideas and applicationsUniversità Degli Studi Di MilanoScuola di Dottorato in Informatica, 2010

Leonardo de MouraMicrosoft Research

Linear Arithmetic

Many approachesGraph-based for difference logic: a – b 3Fourier-Motzkin elimination:

Standard SimplexGeneral Form Simplex

Difference Logic: a – b 5

Very useful in practice!

Most arithmetical constraints in software verification/analysis are in this fragment.

x := x + 1

x1 = x0 + 1

x1 - x0 1, x0 - x1 -1

Job shop scheduling

Difference Logic

Chasing negative cycles!Algorithms based on Bellman-Ford (O(mn)).

Standard Simplex

Many solvers (e.g., ICS, Simplify) are based on the Standard Simplex.

a - d + 2e = 3b - d = 1c + d - e = -1a, b, c, d, e ≥ 0

Standard Simplex


a - d + 2e = 3b - d = 1c + d - e = -1a, b, c, d, e ≥ 0

1 0 0 -1 20 1 0 -1 00 0 1 1 -1

abcde

3 1-1

=

Standard Simplex


a - d + 2e = 3b - d = 1c + d - e = -1a, b, c, d, e ≥ 0

1 0 0 -1 20 1 0 -1 00 0 1 1 -1

abcde

3 1-1

=

We say a,b,c are the basic (or dependent) variables

Standard Simplex


a - d + 2e = 3b - d = 1c + d - e = -1a, b, c, d, e ≥ 0

1 0 0 -1 20 1 0 -1 00 0 1 1 -1

abcde

3 1-1

=

We say a,b,c are the basic (or dependent) variables

We say d,e are the non-basic (or non- dependent) variables.

Standard Simplex

Incrementality: add/remove equationsSlow backtrackingNo theory propagation

Fast Linear Arithmetic

Simplex General FormAlgorithm based on the dual simplexNon redundant proofsEfficient backtrackingEfficient theory propagationSupport for string inequalities: t > 0Preprocessing stepInteger problems:

Gomory cuts, Branch & Bound, GCD test

General Form

From Definitions to a Tableau

s1 x + y, s2 x + 2y


s1 x + y, s2 x + 2y

s1 = x + y, s2 = x + 2y


s1 x + y, s2 x + 2y

s1 = x + y, s2 = x + 2y

s1 - x - y = 0

s2 - x - 2y = 0


s1 x + y, s2 x + 2y

s1 = x + y, s2 = x + 2y

s1 - x - y = 0

s2 - x - 2y = 0

s1, s2 are basic (dependent) x,y are non-basic

Pivoting

A way to swap a basic with a non-basic variable!It is just equational reasoning.Key invariant: a basic variable occurs in only one equation.Example: swap s1 and y

s1 - x - y = 0 s2 - x - 2y = 0

Pivoting


s1 - x - y = 0 s2 - x - 2y = 0

-s1 + x + y = 0 s2 - x - 2y = 0

Pivoting


s1 - x - y = 0 s2 - x - 2y = 0

-s1 + x + y = 0 s2 - x - 2y = 0

-s1 + x + y = 0 s2 - 2s1 + x = 0

Pivoting


s1 - x - y = 0 s2 - x - 2y = 0

-s1 + x + y = 0 s2 - x - 2y = 0

-s1 + x + y = 0 s2 - 2s1 + x = 0

It is just substituting equals by equals.

Pivoting


s1 - x - y = 0 s2 - x - 2y = 0

-s1 + x + y = 0 s2 - x - 2y = 0

-s1 + x + y = 0 s2 - 2s1 + x = 0


Definition:An assignment (model) is a mapping from variables to values

Key Property:If an assignment satisfies the equations before a pivoting step, then it will also satisfy them after!

Pivoting


s1 - x - y = 0 s2 - x - 2y = 0

-s1 + x + y = 0 s2 - x - 2y = 0

-s1 + x + y = 0 s2 - 2s1 + x = 0


Definition:An assignment (model) is a mapping from variables to values

Key Property:If an assignment satisfies the equations before a pivoting step, then it will also satisfy them after!

Example:M(x) = 1M(y) = 1M(s1) = 2M(s2) = 3

Equations + Bounds + Assignment

“Repairing Models”

If the assignment of a non-basic variable does not satisfy a bound, then fix it and propagate the change to all dependent variables.

a = c – db = c + dM(a) = 0M(b) = 0M(c) = 0M(d) = 01 c

a = c – db = c + dM(a) = 1M(b) = 1M(c) = 1M(d) = 01 c


If the assignment of a non-basic variable does not satisfy a bound, then fix it and propagate the change to all dependent variables. Of course, we may introduce new “problems”.

a = c – db = c + dM(a) = 0M(b) = 0M(c) = 0M(d) = 01 c a 0

a = c – db = c + dM(a) = 1M(b) = 1M(c) = 1M(d) = 01 ca 0


If the assignment of a basic variable does not satisfy a bound, then pivot it, fix it, and propagate the change to its new dependent variables.

a = c – db = c + dM(a) = 0M(b) = 0M(c) = 0M(d) = 01 a

c = a + db = a + 2dM(a) = 0M(b) = 0M(c) = 0M(d) = 01 a

c = a + db = a + 2dM(a) = 1M(b) = 1M(c) = 1M(d) = 01 a


Sometimes, a model cannot be repaired. It is pointless to pivot.

a = b – ca 0, 1 b, c 0M(a) = 1M(b) = 1M(c) = 0

The value of M(a) is too big. We can reduce it by:- reducing M(b)

not possible b is at lower bound- increasing M(c)

not possible c is at upper bound


s1 a + d, s2 c + d

a = s1 – s2 + ca 0, 1 s1, s2 0, 0 cM(a) = 1M(s1) = 1M(s2) = 0M(c) = 0

Extracting proof from failed repair attempts is easy.


s1 a + d, s2 c + d



{ a 0, 1 s1, s2 0, 0 c } is inconsistent


s1 a + d, s2 c + d



{ a 0, 1 s1, s2 0, 0 c } is inconsistent

{ a 0, 1 a + d, c + d 0, 0 c } is inconsistent

Strict Inequalities

Example

SMT@Microsoft

Example

Correctness

Completeness: trivialSoundness: also trivialTermination: non trivial.We cannot choose arbitrary variable to pivot.Assume the variables are ordered.Bland’s rule: select the smallest basic variable c that does not satisfy its bounds, then select the smallest non-basic in the row of c that can be used for pivoting.Too technical.Uses the fact that a tableau has a finite number of configurations. Then, any infinite trace will have cycles.

Data-structures

Array of rows (equations).Each row is a dynamic array of tuples:(coefficient, variable, pos_in_occs, is_dead)

Each variable x has a “set” (dynamic array) of occurrences: (row_idx, pos_in_row, is_dead)

Each variable x has a “field” row[x]row[x] is -1 if x is non basicotherwise, row[x] contains the idx of the row containing x

Each variable x has “fields”: lower[x], upper[x], and value[x]

Data-structures

rows: array of rows (equations).Each row is a dynamic array of tuples:(coefficient, variable, pos_in_occs, is_dead)

occs[x]: Each variable x has a “set” (dynamic array) of occurrences: (row_idx, pos_in_row, is_dead)

row[x]:row[x] is -1 if x is non basicotherwise, row[x] contains the idx of the row containing x

Other “fields”: lower[x], upper[x], and value[x]atoms[x]: atoms (assigned/unassigned) that contains x

Data-structures

s1 a + b, s2 c – b

p1 a 0, p2 1 s1, p3 1 s2

p1, p2 were already assigned

a - s1 + s2 + c = 0

b- c + s2 = 0

a 0, 1 s1

M(a) = 0 value[a] = 0M(b) = -1 value[a] = -1M(c) = 0 value[c] = 0M(s1) = 1 value[s1] = 1

M(s2) = 1 value[s2] = 1

rows = [[(1, a, 0, t), (-1, s1, 0, t), (1, s2, 1, t), (1, c, 0, t)],

[(1,b, 0, t), (-1, c, 1, t), (1, s2, 2, t)] ]

occs[a] = [(0, 0, f)]occs[b] = [(1,0,f)]occs[c] = [(0,3,f), (1,1,f)]occs[s1] = [(0,1,f)]

occs[s2] = [(0,0,t), (0,2,f), (1,2,f)]

row[a] = 0, row[b] = 1, row[c] = -1, …upper[a] = 0, lower[s1] = 1

atoms[a] = {p1}, atoms[s1] = {p2}, …

Combining Theories

In practice, we need a combination of theories.

b + 2 = c and f(read(write(a,b,3), c-2)) ≠ f(c-b+1)

A theory is a set (potentially infinite) of first-order sentences.

Main questions:Is the union of two theories T1 T2 consistent?

Given a solvers for T1 and T2, how can we build a solver forT1 T2?

Disjoint Theories

Two theories are disjoint if they do not share function/constant and predicate symbols.= is the only exception.

Example:The theories of arithmetic and arrays are disjoint.

Arithmetic symbols: {0, -1, 1, -2, 2, …, +, -, *, >, <, ≥, }Array symbols: { read, write }

Purification

It is a different name for our “naming” subterms procedure.

b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1)

b + 2 = c, v6 ≠ v7

v1 3, v2 write(a, b, v1), v3 c-2, v4 read(v2, v3),v5 c-b+1, v6 f(v4), v7 f(v5)

Purification

It is a different name for our “naming” subterms procedure.


b + 2 = c, v6 ≠ v7

v1 3, v2 write(a, b, v1), v3 c-2, v4 read(v2, v3),v5 c-b+1, v6 f(v4), v7 f(v5)

b + 2 = c, v1 3, v3 c-2, v5 c-b+1,v2 write(a, b, v1), v4 read(v2, v3),v6 f(v4), v7 f(v5), v6 ≠ v7

Stably Infinite Theories

A theory is stably infinite if every satisfiable QFF is satisfiable in an infinite model.

EUF and arithmetic are stably infinite.

Bit-vectors are not.

Important Result

The union of two consistent, disjoint, stably infinite theories is consistent.

Convexity

A theory T is convex iff for all finite sets S of literals and

for all a1 = b1 … an = bn

S implies a1 = b1 … an = bn

iff S implies ai = bi for some 1 i n

Convexity: Results

Every convex theory with non trivial models is stably infinite.

All Horn equational theories are convex.formulas of the form s1 ≠ r1 … sn ≠ rn t = t’

Linear rational arithmetic is convex.

Convexity: Negative Results

Linear integer arithmetic is not convex 1 a 2, b = 1, c = 2 implies a = b a = c

Nonlinear arithmetica2 = 1, b = 1, c = -1 implies a = b a = c

Theory of bit-vectors

Theory of arraysc1 = read(write(a, i, c2), j), c3 = read(a, j)implies c1 = c2 c1 = c3

Combination of non-convex theories

EUF is convex (O(n log n))IDL is non-convex (O(nm))

EUF IDL is NP-CompleteReduce 3CNF to EUF IDLFor each boolean variable pi add 0 ai 1For each clause p1 p2 p3 add

f(a1, a2, a3) ≠ f(0, 1, 0)

Combination of non-convex theories

EUF is convex (O(n log n))IDL is non-convex (O(nm))

EUF IDL is NP-CompleteReduce 3CNF to EUF IDLFor each boolean variable pi add 0 ai 1For each clause p1 p2 p3 add

f(a1, a2, a3) ≠ f(0, 1, 0)

a1 ≠ 0 a2 ≠ 1 a3 ≠ 0

implies

Nelson-Oppen Combination

Soundness

Completeness

NO deterministic procedure(for convex theories)

NO deterministic procedureCompleteness

NO procedure: Example


Arithmeticb + 2 = c, v1 3, v3 c-2, v5 c-b+1

Arraysv2 write(a, b, v1), v4 read(v2, v3)

EUFv6 f(v4), v7 f(v5), v6 ≠ v7



Arithmeticb + 2 = c, v1 3, v3 c-2, v5 c-b+1

Arraysv2 write(a, b, v1), v4 read(v2, v3)

EUFv6 f(v4), v7 f(v5), v6 ≠ v7

Substituting c



Arithmeticb + 2 = c, v1 3, v3 b, v5 3

Arraysv2 write(a, b, v1), v4 read(v2, v3),

EUFv6 f(v4), v7 f(v5), v6 ≠ v7

Propagating v3 = b




Arraysv2 write(a, b, v1), v4 read(v2, v3),v3 = b

EUFv6 f(v4), v7 f(v5), v6 ≠ v7,v3 = b

Deducing v4 = v1




Arraysv2 write(a, b, v1), v4 read(v2, v3),v3 = b,v4 = v1

EUFv6 f(v4), v7 f(v5), v6 ≠ v7,v3 = b

Propagating v4 = v1



Arithmeticb + 2 = c, v1 3, v3 b, v5 3,v4 = v1


EUFv6 f(v4), v7 f(v5), v6 ≠ v7,v3 = b,v4 = v1

Propagating v5 = v1





EUFv6 f(v4), v7 f(v5), v6 ≠ v7,v3 = b,v4 = v1,v5 = v1

Congruence: v6 = v7





EUFv6 f(v4), v7 f(v5), v6 ≠ v7,v3 = b,v4 = v1,v5 = v1 , v6 = v7

Unsatisfiable

NO deterministic procedure

Deterministic procedure may fail for non-convex theories.

0 a 1, 0 b 1, 0 c 1,f(a) ≠ f(b),f(a) ≠ f(c),f(b) ≠ f(c)

Combining Procedures in Practice

Example

Model Mutation

Freedom Intervals

Model mutation without pivoting

For each non basic variable xj compute [Lj, Uj]

Each row containing xj enforces a limit on how much it can be increase and/or decreased without violating the bounds of the basic variable in the row.

Opportunistic Equality Propagation

We say a variable is fixed if the lower and upper bound are the same.1 x 1

A polynomial P is fixed if all its variables are fixed.

Given a fixed polynomial P of the forma 2x1 + x2,

we use M(P) to denote 2M(x1) + M(x2)

Opportunistic Equality Propagation

M

M M

M M

Non-stably infinite theories in practice

Reduction Functions

A reduction function reduces the satifiability problem for a complex theory into the satisfiability problem of a simpler theory.

Ackermannization is a reduction function.

Reduction Functions

EUF

Leonardo de Moura Microsoft Research. Many approaches Graph-based for difference logic: a – b 3...

Documents

Transcript of Leonardo de Moura Microsoft Research. Many approaches Graph-based for difference logic: a – b 3...